ContentCatcher. Voyant Strategies. Best Practice for E-Mail Gateway Security and Enterprise-class Spam Filtering




No one can argue that E-mail has become one of the most important tools for the successful Enterprise. Advancements in E-mail technologies have made E-mail a viable replacement for many of the communications that used to be carried by Phone, Fax, or Paper. However, there are those who want to exploit E-mail for their own, possibly malevolent, uses. Spam (Unsolicited Commercial E-mail or UCE), Viruses, Trojans, and relaying attempts all threaten a company's ability to properly and productively conduct business.

E-Mail Threat Facts

- Mail-borne Viruses and Trojans do not require action on the user's part to cause a major outbreak across your enterprise.
- Employees waste hours daily simply reading and deleting Spam. Business processes are interrupted by the constant influx of unwanted messages.
- Spammers try to use your mail server to relay their junk mail, wasting your valuable network, Internet, and server availability.
- Implementing a quarantine- or delete-based Spam Control system will result in lost legitimate mail. While this might be acceptable for a personal e-mail box, business communications are much too important to withstand that level of risk.
- Mail Administrators lose productivity to internally managing Spam solutions.

Traditional methods of tackling this problem

Most solutions forget the key elements of E-mail Management: they take care of a single part of the problem well, but fail to deliver an effective overall solution. Some solutions cause more problems than they solve.

1) Antivirus
   a. Most antivirus solutions only scan E-mail for known viruses. If the virus is not known, it simply walks past the antivirus scanner, leaving you vulnerable until your antivirus software vendor updates their virus patterns.
   b. Those antivirus solutions that do block content based on attachment name will quarantine the E-mail or attachment, or even delete the mail.
      i. If it quarantines the mail or attachment, it requires an administrator to either allow the attachment or delete the quarantined e-mail.
      ii. It is up to you to define what content to catch, usually by keywords. This is a highly ineffective method, as Spammers have become experts at fooling these primitive methods of detecting unwanted content.

2) Spam Management
   a. Most Spam Management packages are "all or nothing" solutions. If messages are identified as Spam, they are:
      i. Tagged as Spam and sent on to the recipient, where the user still must deal with the message, and your systems and storage infrastructure still handle the data as if it were valid (i.e. backup, disk, disaster recovery, WAN traffic, etc.).
      ii. Deleted and not delivered, which will always result in some lost legitimate mail.
      iii. Stored in a quarantine mail area, which requires a Mail Administrator to monitor and manage, and also requires the end user to be aware of the missing message. The risk of legitimate mail not getting to the recipient is still very high, unless there are dedicated personnel available to manually go through all quarantined messages to determine what is good and what is not.
      iv. Reliant on a single method of identifying it as Spam. As new Spam sending and creation techniques are developed, the detection methods that are used quickly become outdated. Your company's mail administrators are responsible for keeping up to date with the rapidly changing methods used by Spammers.
3) Relay Blocking
   a. Many E-mail servers will be an "open relay" for third parties to exploit for their own use. This allows Spammers to reach their targets without being held accountable.
   b. Many solutions rely solely on the use of Real Time Block Lists (RBL) for determining if mail should be accepted by your company's system. While RBLs are a good method to determine the validity of a mail server, many RBLs are overzealous when it comes to listing suspected Spam servers, or make it nearly impossible for legitimate organizations to get off the lists. The overall result is a high loss of legitimate E-mail.

The Solution - ContentCatcher from Voyant Strategies

Every E-mail is closely scrutinized from the moment the sending mail server connects to ContentCatcher to final delivery to your mail system for your employees.

How ContentCatcher is different:

- We take the load off by becoming your company's primary Internet gateway for inbound mail. We take the brunt of connection and relay attempts to your E-mail server; this increases the availability and performance of your e-mail server and Internet connection.
- Since ContentCatcher traps and holds mail of questionable content on our systems, we reduce the amount of e-mail traffic going to your company's mail server.
- Each user gets their own web-based E-mail Quarantine area which they can easily manage themselves, so your company's mail administrators do not have to take an interactive role in Spam management. Our user and administrative interface is designed so that anyone with a "Yahoo Mail" level of web familiarity can effectively use the system.
- Thanks to our patent-pending RR-Authorize(tm) functionality, users do not need to actively "whitelist" their communications partners. By simply requesting a read receipt for messages they send out, ContentCatcher will automatically learn who their valid business/communications partners are. This takes an enormous burden off of both the e-mail administrator and the user.
- ContentCatcher takes potentially dangerous attachment handling to a new level. Instead of quarantining the mail which contains the potentially dangerous attachment, ContentCatcher optionally renders the attachment to a neutral state that cannot be automatically or accidentally executed. This greatly reduces the risk of MyDoom- or Netsky-like viruses infecting your network, but also allows your company's employees to receive the attachments which may be critical to your business, all without having to involve your company's mail administrators.
- We stay ahead of the curve by keeping close tabs on the new tools that Spammers may use as they are developed. ContentCatcher is constantly being updated to handle the new threats, many times before they are even used! Since ContentCatcher is delivered as a managed service, you don't need to do anything to stay up-to-date.

- ContentCatcher's developers work closely with the Anti-Spam community, making regular submissions of confirmed Spam sources to worldwide Real Time Block Lists.
- Should a message get identified as Spam that shouldn't have been, ContentCatcher makes sure that "the tree doesn't fall in the forest" by notifying users twice daily only of messages that have a higher probability of being a false positive. This is great for users that receive hundreds of Spam messages per day, as they don't have to wade through all of these messages to make sure that they haven't missed something; in most cases these notifications only include 4-5 messages.
- With a custom database of hundreds of known domains and servers that are used for nothing but Spam, ContentCatcher's engineers ensure that Spammers are blocked, and will remain blocked even if they are removed from other Real Time Block Lists.
- If a valid sender ends up on a Block List, the ContentCatcher team has the ability to quickly bypass the block lists for selected senders, domains, or IP addresses. We will also help any sender that has ended up on a block list get off.

The Recipient or User Factor:

1) Unlike other mail systems that delete mail which was identified as Spam, ContentCatcher stores those mails for each individual recipient. One person's Spam may be legitimate E-mail for someone else.
2) Every message that is sent to a recipient's ContentCatcher mailbox system is viewable online, 24x7, without it having to be sent to your company's mail system, and without having to wait for a notification. The user can also search for a message by keyword or sender, without having to look through all the messages in their personal quarantine.
3) Every Recipient registered with ContentCatcher is able to easily define their own specific rules through a single web page, with no technical knowledge:
   a. How long to keep mail which has been identified as Spam before the system automatically removes it from their ContentCatcher mailbox;
   b. Automatically allow through mail from specific E-mail addresses or domains regardless of whether the mail has been identified as Spam;
   c. The mail score below which they wish to have mail passed through (administrative option);
   d. The mail score above which they do not wish to be notified;
   e. What time of day to receive the notifications;
   f. Automatically allow mail based on a keyword.

More than just Content Management:

1) We can redirect mail destined for one employee to another, alleviating the need for your mail system to maintain the mailbox of an employee that is no longer with the company, or has changed jobs.
2) We can 'bounce' mail for employees that should not be receiving Internet mail or are no longer with the company. By allowing ContentCatcher to do this we remove the burden of your mail server having to send and receive mail for employees which should not be able to receive Internet mail, and send rejection notices to the senders.
3) ContentCatcher is able to remap entire Internet mail domains, and still maintain the integrity of the original message - perfect for the company that has multiple Internet domains, but only uses one for Internet mail, or for mergers and acquisitions. ContentCatcher can receive mail for your other domains and deliver them to your desired domain.

How It Works:

Every E-mail which comes into ContentCatcher goes through a highly refined system of tests from the moment the sending E-mail system connects to a ContentCatcher Server. Only if all these tests are passed does mail get delivered to your mail system.

The Tests Every E-mail goes through (please read the FAQ at the end for explanations and definitions):

1) RBL LOOKUP - Is the sending server Block Listed on a Real Time Block List of KNOWN Spam sources? If it is, DROP the E-mail completely.
2) RELAY ATTEMPT - Is the mail from, or destined for, a domain managed by ContentCatcher? If it is not, DROP the E-mail completely.
3) RECIPIENT BLOCKING or REMAPPING - If you choose to make use of our Recipient blocking or redirecting, any mail destined to a listed recipient will be dropped or sent to another address.
4) RULES BASED Spam CHECK - Every E-mail is processed through several engines and hundreds of tests which have been developed to determine the intent of the E-mail.
5) SELF-LEARNING INFERENCE ENGINE - With every message it receives, our system gets more accurate. Also, any false positive or negative events are fed back into the engine to be 'tokenized' and improve future accuracy. We have also developed a method to prevent 'poisoning' of our engine by spammers attempting to do so.
6) SPF CHECK - Verifies that mail purported to be from a source that uses the SPF standard is, in fact, from that source.
7) GREY LIST LOOKUP - Very similar to the Block List Lookup, however these lists are not used to drop mail. Instead they are used to identify the likelihood that the E-mail came from an Open Relay mail server. ContentCatcher DOES NOT DROP E-MAIL BASED ON THIS LOOKUP.
8) DOUBLE ANTIVIRUS SCAN - Every E-mail is scanned by two different antivirus technologies.
9) ATTACHMENT CHECK - Scan the E-mail for potentially harmful attachments such as MS-Windows executables (.exe, .com, .bat, .vbs, etc.). If those types of attachments are found and are not a virus, ContentCatcher alters the attachment so it cannot be automatically or accidentally executed.
10) MESSAGE DISPOSITION - If the E-mail passes all the tests, it is then sent on to your company's mail server. If it is determined or tagged as Spam, the mail is then sent to the Recipient's ContentCatcher E-mail box.
11) RECIPIENT RULES - Every E-mail that is sent to ContentCatcher's Recipient Mail box undergoes Mailbox-Specific Rules that can be easily defined by each individual Recipient that is registered with ContentCatcher. If the mail has been tagged as Spam, the user still may have his/her own rules that will tell ContentCatcher to send the mail on anyway (i.e. newsletters, certain keywords, certain sender domains, etc.).
12) AUTO-DELETE - By default, all mail which goes into a recipient's ContentCatcher mail box will be deleted in 14 days. Users and Administrators can change this setting to fit each individual's needs.
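
Steps 1 and 7 treat a list hit differently: an RBL listing drops the mail, a grey-list listing only raises its score. The sketch below is an added example of that split, not ContentCatcher's code; it uses the standard DNSBL query layout, and the zone names, the 0.5 weight and the injected `resolve` callable with its constructed answers are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical zones and weight: the page does not name its lists or scores.
HARD_RBL_ZONES = ("rbl.example",)    # step 1: a listing here drops the mail
GREY_ZONES = ("grey.example",)       # step 7: a listing here only adds score
GREY_WEIGHT = 0.5                    # assumed "small amount" of Spam probability
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the DNS name a DNSBL lookup asks for (RFC 5782 layout)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))               # reversed octets
    else:
        labels = reversed(addr.exploded.replace(":", ""))     # reversed nibbles
    return ".".join(labels) + "." + zone


def is_listed(ip, zone, resolve):
    """resolve(name) returns the A records for name, or [] for NXDOMAIN.
    Only answers in 127.0.0.0/8 count as a listing, so a parked or wildcarded
    zone that answers with a routable address does not block every sender."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(ipaddress.ip_address(a) in LISTED_RANGE for a in answers)


@dataclass
class Verdict:
    action: str                      # "drop" or "continue"
    score: float = 0.0               # contribution of list lookups to the score
    reasons: list = field(default_factory=list)


def connection_checks(ip, sender_domain, resolve,
                      local_block=frozenset(), bypass=frozenset()):
    """Apply the list lookups: local block list, RBL (drop), grey list (score)."""
    if sender_domain in local_block:
        # Locally maintained domain list: rejected whatever address is used.
        return Verdict("drop", reasons=["local block list: " + sender_domain])
    verdict = Verdict("continue")
    if ip in bypass or sender_domain in bypass:
        verdict.reasons.append("RBL bypass")   # sender exempted from RBL lookups
    else:
        for zone in HARD_RBL_ZONES:
            if is_listed(ip, zone, resolve):
                return Verdict("drop", reasons=["RBL: " + zone])
    for zone in GREY_ZONES:
        if is_listed(ip, zone, resolve):
            verdict.score += GREY_WEIGHT       # never a drop on its own
            verdict.reasons.append("grey list: " + zone)
    return verdict


# Constructed DNS answers (documentation address ranges), so this runs offline.
CONSTRUCTED_DNS = {
    "10.2.0.192.rbl.example": ["127.0.0.2"],
    "7.100.51.198.grey.example": ["127.0.0.3"],
    "5.113.0.203.rbl.example": ["203.0.113.99"],   # parked-zone style answer
}


def fake_resolve(name):
    return CONSTRUCTED_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, connection_checks(ip, "mail.example", fake_resolve))
```

In production `resolve` would wrap a real DNS client with a timeout; a lookup failure should be handled as "not listed" rather than as a listing.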

Summary

ContentCatcher is the best solution for providing e-mail security, increasing the return on E-mail investment, and significantly reducing the wasted resources that E-mail borne problems cause, while maintaining the highest integrity of E-mail that your company demands. ContentCatcher removes the undue burden that undesirable E-mail has placed on your company's Internet Connection, servers, IT Staff, and your company's most valuable asset: your employees.

FAQ & Definitions:

1) What is an RBL?
   a. An RBL is a Real Time Block List containing the internet addresses of mail servers that meet certain criteria:
      i. Known Spam Source - The mail server has been used regularly to send Spam.
      ii. Open Relay/Proxy/Unsecured Mail Server - The mail server will send out mail from anyone to anyone, disregarding the validity of E-mail headers, Addresses, and anything else which pertains to the integrity of the E-mail. This is the most commonly used method for Spammers to send out their Spam since they simply pass on the work of sending their Spam to a system whose administrator either does not care, has incorrectly configured, or has not secured their mail server. Accepting mail from these servers is a high risk for not only Spam, but also viruses that spread using their own built-in SMTP mail delivery server.
      iii. ISP Published Dialup Address Pool - Many ISPs publish a listing of their dialup address pools. Since these address pools hand out addresses dynamically, no legitimate mail server can exist using an ISP's dialup Address. Most ISPs require that dialup clients relay mail through their mail relay server.
2) What will cause e-mail to get dropped completely?
   a. The sending mail server is listed as a known Spam Source in a selected RBL - See Below for reasoning.
   b. The recipient has been listed as an e-mail address that should not receive e-mail.
   c. The E-mail contains a known virus.
   d. The E-mail has expired in the recipient's ContentCatcher mail box and has been Auto-Deleted.
3) How do you determine a known Spam Source?
   a. RBL lookups.
   b. Local Block List Lookups.
4) Aren't RBLs bad? Don't they cause a lot of 'False Positives' and as a result lose a lot of legitimate e-mail?
   a. Not all RBLs are created or maintained equally. We very carefully chose which RBLs we use based on:
      i. Listing known Spam sources.
      ii. How easy it is for a legitimate mail server to get removed from the list once it has been secured or action taken against those that have abused the mail server.
      iii. The RBL lists specific mail server addresses. It does not list entire address blocks, domains, or ISPs.
      iv. If the RBL is listing an Open Relay, the RBL must have performed its own Relay Check and not rely on the submission of a third party.
5) A mail that was sent was blocked because the sender's mail server was on an RBL. What can be done about it?
   a. We can bypass RBL lists for a sender if they aren't able to remove themselves from a given list. As a service to our customers, we give the senders our contact information so that we can assist them in getting off the lists, AT NO CHARGE TO THEM.
   b. Before any mail server is listed on the RBLs we make use of, the RBL attempted to contact the mail server's administrator by e-mail, making use of E-mail addresses which are required to meet internet standards. If the mail administrator ignores these messages, or the mail server is not configured to properly accept mail to the addresses which Internet standards dictate, then it will likely be listed on the RBL.
6) How do you determine what domains and mail servers are put on the Local RBL, which your developers maintain?
   a. Many Spammers own dozens, if not hundreds, of Internet addresses. As a result they simply rotate through their Internet addresses, swapping addresses that are Block Listed with addresses that are not, and getting those that are listed removed from the Block Lists. To respond to this, we maintain a list of those domains which are owned by Spammers, and reject mail from their domain regardless of what Internet address they use.
   b. Our developers maintain dozens of "honey pot" E-mail addresses that are used for nothing more than to collect Spam. We monitor those mail boxes very closely to determine the real sources of the Spam and then investigate those sources. They also allow our developers to improve the quality of the overall ContentCatcher system.
7) How do you modify executable attachments?
   a. Change the defined attachment type.
   b. Rename the attachment to a name that is NOT executable.
8) Why not remove the attachment completely?
   a. All too often there is a legitimate reason for executable attachments, such as software updates.
9) Why do you rename the attachment?
   a. By renaming the attachment, it still allows the attachment to come through, but removes the ability of automatic or accidental execution.
   b. In the event it is an unknown virus, it buys more time, as the person must save/detach the attachment to disk, rename the attachment, then execute it, giving your antivirus system more time to update its virus definitions. Keep in mind that we are also scanning the mail for viruses, and we update our signature files dozens of times per day.
   c. Most people, unless they need the executable attachment, will not waste the time to go through the steps required to make use of the attachment.
10) What is the GREY LIST LOOKUP?
   a. The Grey List lookup is similar to the RBL list lookup, however we have found that these lists are too far-reaching and overzealous to be relied upon for full RBL use.
   b. If a Mail Server is on the Grey List, ContentCatcher adds a small amount to the 'Spam Probability' already assigned to the E-mail.
   c. ContentCatcher will NEVER DROP an e-mail solely because the sending mail server was listed in a Grey List.
11) Why would a legitimate E-mail become tagged as Spam?
   a. There are certain things that Spammers use to get someone's attention once a message has been received. Occasionally legitimate e-mail will show enough of these characteristics and will be falsely identified as Spam. Some of the more common ones are:
      i. Use of bright colored fonts.
      ii. Excessive use of certain attention-grabbing characters such as '!', '#', and '$'.
      iii. Free E-mail accounts that append advertising to the bottom of all the E-mail that goes out (legitimate e-mail that carries Spam).
   b. Users can easily tune their settings to allow mail from certain senders, and mail that contains certain keywords, to get through, and these rules will optimize their e-mail content over a short period of time (especially if they utilize our patented read-receipt functionality), so that if mail gets through, they can be confident that they need to read it.
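
The attachment handling in test 9 and FAQ items 7 to 9 can be reproduced with Python's standard `email` package. This is an added example, not ContentCatcher's code; the `.renamed` suffix, the `application/octet-stream` replacement type and the sample message are assumptions constructed for the demonstration.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions the page names for the attachment check; its "etc." is left unfilled.
RISKY_EXTENSIONS = {"exe", "com", "bat", "vbs"}
NEUTRAL_SUFFIX = ".renamed"                  # assumed non-executable suffix
NEUTRAL_TYPE = "application/octet-stream"    # assumed neutral declared type
SAMPLE_PAYLOAD = b"constructed placeholder bytes, not a program"


def neutral_name(filename):
    """Return a non-executable replacement name, or None if the name is not risky."""
    # Windows drops trailing dots and spaces, so "a.exe. " still opens as .exe.
    cleaned = filename.strip().rstrip(". ")
    # Only the last extension decides how the file opens ("invoice.pdf.exe").
    stem, dot, ext = cleaned.rpartition(".")
    if not dot or ext.lower() not in RISKY_EXTENSIONS:
        return None
    return f"{stem}_{ext}{NEUTRAL_SUFFIX}"


def neutralise(raw):
    """Rewrite risky attachments; return (wire bytes, [(old name, new name), ...])."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    changed = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition filename=, then Content-Type name=
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        new_name = neutral_name(name)
        if new_name is None:
            continue
        # FAQ 7a: change the declared type. FAQ 7b: rename. The payload and its
        # transfer encoding stay untouched so the recipient can still recover it.
        del part["Content-Type"]
        part.add_header("Content-Type", NEUTRAL_TYPE, name=new_name)
        del part["Content-Disposition"]
        part.add_header("Content-Disposition", "attachment", filename=new_name)
        changed.append((name, new_name))
    return msg.as_bytes(), changed


def attachment_summary(raw):
    """List (filename, declared type, decoded payload) for each named part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [(p.get_filename(), p.get_content_type(), p.get_content())
            for p in msg.walk() if p.get_filename()]


def constructed_sample():
    """Constructed test message: one risky attachment, one ordinary one."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(SAMPLE_PAYLOAD, maintype="application",
                       subtype="x-msdownload", filename="Update.pdf.exe")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    wire, changed = neutralise(constructed_sample())
    print(changed)
    for name, ctype, payload in attachment_summary(wire):
        print(name, ctype, len(payload))
```

Matching on the file name alone misses executables sent under an innocuous name or inside an archive, which is why the page pairs this step with the antivirus scan.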

Corporate Headquarters 45 Village Court Hazlet, NJ 07730 (800) 463-7290 www.voyantinc.com Copyright 2004 Voyant Strategies, Inc. All rights reserved. Voyant Strategies, VS/Secure, ContentCatcher, and the Voyant Strategies logo are registered trademarks of Voyant Strategies, Inc. or its affiliates in the U.S. and certain other countries. All other brands, names, or trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner or team does not imply a partnership relationship between Voyant Strategies and any other company.